Australian metadata laws put confidential interviews at risk, with no protections for research

Each year, academics and students make countless applications for research ethics approval, based on the promise of confidentiality to their interview subjects. Interviewees sometimes offer academic researchers information that might be self-incriminating or might jeopardise the rights and liberties of others they’re discussing.

But Australia’s metadata retention laws can lead to the identification and even incrimination of the very people whose identities academic researchers have promised to keep secret for their work.

Read more: Think your metadata is only visible to national security agencies? Think again

Imagine, for instance, a criminologist conducting a project examining white collar crime in banking and financial services. The academic’s confidential interviews with former company directors and executives might elicit specific and revealing answers. It could lead to potential redundancy or even jail time, depending on their vulnerability and culpability.

Under the metadata laws, government agencies make hundreds of thousands of requests to Australian telcos each year for their customers’ phone and internet communications metadata.

For the criminologist, this means relevant agencies can ask telcos to access his or her metadata in the form of call records and computer IP addresses. This means they can identify whether a person of interest has been in communication with the researcher and is the possible source of incriminating material. Other investigations and legal steps might then follow.

Interviews about a range of sensitive research topics may be at risk. These include immigration, crime and corruption, national security, policing, politics, international relations and policy.

The impact of metadata laws on journalists and their sources have been well documented. But we can only wonder how many people will agree to participate in academic research if they are made fully aware of the real potential of being identified by investigators.

Who has access?

Metadata – or telecommunications data – is information held by telcos about communication from a digital device. This includes the phone numbers of people who call each other and how long they talk, as well as details on text messages (the address from which a message is sent and the time it’s sent).

Telcos are not allowed to disclose the “contents or substance of a communication”. But the metadata forms a key part of the investigative trail.

Since 2015, telecommunications and internet providers have been required to store metadata from phone calls and other digital communications for at least two years under the Telecommunications (Interception and Access) Act 1979.

Read more: Seven ways the government can make Australians safer – without compromising online privacy

Intelligence, policing and corruption bodies, the Department of Home Affairs, ASIC and the ACCC are agencies that are entitled to request this data. And some suggest many more government agencies at all three levels of government might be requesting metadata from telcos.

The weak protections offered to journalists won’t help researchers

A 2006 Australian Law Reform Commission inquiry into evidence laws raised the prospect of medical and social researchers being entitled to a confidentiality privilege for their research communications, but it was not implemented.

The only confidential relationship acknowledged by the metadata retention laws is the journalist-source relationship. This is where “journalist information warrants” must meet a certain threshold, reviewed in secret by an anonymous public interest advocate.

Should this protection be extended to researchers?

My colleagues and I made a recent submission to the Parliamentary Joint Committee on Intelligence and Security examining the metadata retention laws. It focused on the fact journalism educators and journalism students might not qualify for even the minimal protections offered to professional journalists.

When agencies seek a warrant for information, the law requires:

the public interest in issuing the warrant outweighs the public interest in protecting the confidentiality of the identity of the source.

But the opaque scheme has been described by the journalism union as mere “cosmetic dressing” because the whole review process takes place in secret, by anonymous individuals, without the knowledge or legal representation of journalists or their sources. Even the journalists who have been subjected to the process remain unaware their data has been targeted.

Extending this protection to academic researchers in its current form would offer minimal comfort to confidential interviewees.

Read more: Police want to read encrypted messages, but they already have significant power to access our data

No warrant needed

Even encryption is no longer watertight as protective a strategy against agencies accessing metadata. Amendments last year introduced three levels of request agencies might make to telcos to de-encrypt data, starting with a simple voluntary “technical assistance request”.

Read more: Australians accept government surveillance, for now

There is no indication of the number of times agencies might have accessed researchers’ metadata because such detailed records are not published by the attorney-general or the ombudsman.

But the Commonwealth attorney-general finally revealed last month that during 2017-2018, 58 historical data authorisations were made under warrants issued to the AFP to get information from journalists.

For academic researchers, no such warrants are required. So, metadata requests about confidential interviewees would sit among the 300,000-plus requests made annually by agencies.

The issue is at least on the radar of some university research ethics committees. They take special precautions when approving confidential interviews in some circumstances, such as requiring researchers advise interviewees that absolute confidentiality might not be guaranteed.

Read more: How surveillance is wrecking journalist-source confidentiality

But there should be greater awareness of potential dangers that await their “confidential” interviewees who might have agreed to be interviewed without even contemplating the consequences.